
By year's end in 2023, PyPI will enforce the use of Two-Factor Authentication (2FA) for all user accounts.

The preventive measure, aimed at thwarting unauthorized account takeovers, forms part of a broader supply chain security strategy.


The Python Package Index (PyPI), a popular repository for Python software packages, has announced plans to enforce two-factor authentication (2FA) for every account maintaining a project or organization by the end of 2023. This decision comes in response to heightened concerns about supply chain security in the open source community, particularly following a wave of malicious activity targeting various open source registries.

In recent months, researchers from Checkmarx reported malicious activity on platforms such as NPM (in April) and NuGet (in late 2022). Similar attacks have compromised PyPI users in the past, which led to the 2FA mandate as a defense against account takeover attacks.

Earlier this month, PyPI temporarily suspended the creation of new users because of a rash of malicious attacks. The speed and volume of these attacks prompted the suspension, as administrators were briefly unable to respond to incidents in a timely manner.

From now until the end of the year, PyPI will gradually gate access to certain site functionality based on two-factor usage. While some users or projects may be selected for early enforcement of the 2FA mandate, the exact criteria for selection have not been specified.

The Python Software Foundation has not commented on why the temporary suspension of new users was necessary, but has pointed to a recently published story about a lack of available administrators to handle the volume of malicious activity.

In a related development, the Department of Justice issued three subpoenas for user data dating from March and April. The reasons for the requests were not disclosed. The subpoenas sought several specific details, including names, addresses, records of session times, length of service, means and source of payment, records of packages uploaded, and other information.

Python is one of the most widely used programming languages, and the security of its ecosystem is crucial for the entire tech industry. The 2FA mandate is a significant step towards enhancing the security of PyPI and the open source community as a whole.

As we move forward, it is expected that the Python community will continue to work together to address these security concerns and ensure the integrity of the Python ecosystem.
